The CERT Coordination Centre has issued a warning to users of the
Washington University FTP daemon (WU-FTPD) for Unix and Linux
systems that their servers could be invaded and taken over unless
patches are installed.
CERT said the vulnerabilities, if left unpatched, could allow an
attacker to gain remote root access and thereby take complete control
of the affected system.
Art Manion, an Internet security analyst at CERT, said the warning
was issued because the WU-FTPD program is very popular in the Unix
and Linux communities and has a large installed base.
"The potential is certainly there for it to be exploited," Manion
said. Unix and Linux vendors, including Caldera International, Red
Hat and SuSE Linux, have posted patches and advice. IBM's AIX Unix
does not ship with the WU-FTPD program, so is unaffected, while
Hewlett-Packard's HP-UX Unix has already been patched as part of a
fix for an earlier security issue.
WU-FTPD is a program providing file transfer protocol (FTP)
services on Unix and Linux systems. CERT says the vulnerabilities
can expose a system to remote root compromise by anyone with access
to the FTP service.
The vulnerabilities involve two shortcomings in WU-FTPD. The first
is that the program cannot handle "glob" commands properly. Glob
commands allow a user to specify multiple filenames and locations
using typical shell notation. WU-FTPD implements its own globbing
code instead of using libraries in the underlying operating system.
The globbing code is designed to recognise invalid syntax and
return an error condition to the calling function.
However, when it encounters a specific string, the globbing code
fails to properly return the error condition, creating a hole that
an intruder could attack.
The other vulnerability appears when WU-FTPD is configured to use
RFC 931 authentication running in debug mode. When using RFC 931
authentication, WU-FTPD will request ID information before
authorising a connection request from a client. However, in
debugging mode, it becomes vulnerable to attacks by any user able
to log in, including those with anonymous access.
CERT confirmed that it has been the subject of a denial-of-service
attack for the past several days, leaving its Web site unreachable
at times.
"The recent activity directed against the CERT Coordination Centre
Web site is not unique," said spokesman Bill Pollak. "On a daily
basis, the CERT/CC is the target of attack attempts by intruders,
and has been for many years.
"The nature of the protocols and technology used for the Internet
causes organisations to be dependent on the security of others.
Thus, no organisation, including the CERT/CC, is completely immune
to occasional service disruptions."